TIP 81# : Oracle Forms and new Verisign certificate

After renewing Verisign certificate, you may see an issue with Oracle Forms when it is accessed. I have seen it couple weeks ago after a client renewed its Verisign certificate for Oracle AS : Client could access web server via SSL (e.g. https://servername:port/ was reachable) while accessing the Form server ended with Java exception and SSL handshake failed error message.(e.g. https//servername:port/forms/frmservlet?config=jpi)
I was noticed that Verisign has introduced a two-tier CA hierarchy for Standard SSL Certificates (Called chained cetrtificate sometimes) which changed the old way of having only a root certificate. With this method, Verisign provides Root certificate and also intermediate certiificate.It is interesting to know that Verisign has not been issued any ceritificate since Oct2008 in the old fashion.

Unfortunately, the latest Oracle Jinitiator (despite metalink 456658.1) can not handle new Verisign fashion and if Forms server uses Jinitiator, you may see Java exception and Handshake failure when Forms is accessed. Jinitiator and later (at time of writing this blog, the latest is can not handle the latest intermediate since Verisign keeps changing the intermediate certificate and as Jinitiator support is ended by Jan 31th,2010 (https://support.oracle.com/CSP/main/article?cmd=show&id=761159.1&type=NOT), it does not seem Oracle tries to catch up with the Verisign change.

Based on the environment and diversity of clients, I do recommend the following options :

Option 1 :
Migrate from Jinitiator to Java Plug-in (1.5)
Option 2 :
Migrate to at least Jinitiator
Copy intermediate file to cretdb.txt on each client box

(File is located on {Jinit install folder}\security\lib. (Please be informed that only upgrading jinitiator to the latest version may not work).

No comments: